On Mon, 4 Mar 2019, 19:11 Rob Crittenden via FreeIPA-users, <freeipa-users@lists.fedorahosted.org> wrote:
Sina Owolabi via FreeIPA-users wrote:
> Hi!
>
> I am running a small IPA domain (CentOS 7 servers, ipa version 4.5.4,
> api version 2.228), with one master, and two replicas, and I noticed
> that pki-tomcatd no longer works on the master, after attempting a
> reboot.
> pki-tomcatd works fine on the slaves.
> I noticed if I try to run IPA functions (dns record removal, hosts
> management, user passwords, etc), I receive responses like this:
>
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Internal Server Error)
> But on the replicas, functions work fine.
> Please can someone guide me on how to fix this?

The CA log is in /var/log/pki/pki-tomcat/ca/debug. That may have some
pointers. I'd look at selftests.log first.

My guess is that some of the CA certificates have failed to renew.

getcert list | grep -i expires

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
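
The `getcert list | grep -i expires` check suggested above prints only the dates, without the request they belong to. The following is an added example, not part of the thread and not FreeIPA or certmonger code, that pairs each tracked request with its status and expiry and prints only those already expired. The function names and sample data are constructed, and it assumes the `expires:` values are printed in UTC.

```shell
#!/bin/sh
# Added example (not from the thread): report tracked certificates that have expired.
# On an IPA server, as root:  getcert list | expired_certs

# expired_certs [NOW] reads `getcert list` output on stdin.
# NOW is "YYYY-MM-DD HH:MM:SS" (UTC); defaults to the current time.
# Assumption: "expires:" values are printed in UTC.
# Output, one line per expired certificate: id<TAB>status<TAB>expires<TAB>subject
expired_certs() {
    now=${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}
    awk -v now="$now" '
        function report() {
            # Fixed-width timestamps sort correctly as plain strings.
            if (id != "" && expiry != "" && expiry < now)
                printf "%s\t%s\t%s\t%s\n", id, status, expiry, subj
        }
        $1 == "Request" && $2 == "ID" {
            report()                      # emit the previous request, if expired
            split($0, q, "\047"); id = q[2]
            status = expiry = subj = ""
        }
        $1 == "status:"  { status = $2 }
        $1 == "subject:" { subj = $0; sub(/^[^:]*: */, "", subj) }
        $1 == "expires:" { expiry = $2 " " $3 }
        END { report() }
    '
}

# Constructed sample in the layout `getcert list` prints (values are made up).
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20170101000000':
    status: MONITORING
    subject: CN=ipa1.example.test,O=EXAMPLE.TEST
    expires: 2020-12-01 08:00:00 UTC
Request ID '20170101000001':
    status: CA_UNREACHABLE
    subject: CN=CA Subsystem,O=EXAMPLE.TEST
    expires: 2019-02-20 10:15:42 UTC
Request ID '20170101000002':
    status: NEED_CSR
EOF
}

sample_getcert_output | expired_certs '2019-03-04 19:11:00'
```

A request with no `expires:` line (no certificate issued yet) is skipped rather than reported as expired.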